Open Source and Free Tools

for Incident Response Teams

Ladislav Bačo
whoami
◦ Malware and forensics analyst
◦ Former head of Analytical Department and Department of Cyber
Threat Analysis, governmental team CSIRT.SK
◦ Analyst at Lifars LLC

◦ https://twitter.com/ladislav_b
Why?
◦ Save establishment budget for small CSIRT/CERT
◦ Clever and engaged people required
◦ Money vs Time

◦ Overview of (hopefully) useful tools unknown to many people

Team cooperation
◦ E-Mails, calendars, contacts
◦ Postfix, Dovecot
◦ Roundcube, RainLoop
◦ ThunderBird
◦ iRedMail, Zimbra
◦ GPG - Kleopatra
Team cooperation
◦ Team chat
◦ Rocket.chat
◦ Mattermost

◦ Collaborative documents (notepads)

◦ Etherpad
◦ Wiki & Docs
◦ MediaWiki, DokuWiki
◦ MkDocs
Team cooperation
◦ Project and task management
◦ OpenProject
◦ Wekan
◦ Kanboard
Team cooperation
◦ Secure access - 2FA
◦ Certificates – only authorized persons can access the interface
◦ Secure messaging, (group)calls, video, screen sharing
◦ Signal, Telegram, Wire... but no one-fits-all
Incident handling, response, infoshare
◦ Ticketing system – mails, calls, notes, customers, stats,...
◦ RTIR, OTRS
◦ Redmine
Incident handling, response, infoshare
◦ TheHive Project
◦ Demisto Free Community Edition
Incident handling, response, infoshare
◦ Vulnerability, news, advisories
◦ Taranis3
◦ IoC sharing
◦ MISP
◦ IoC checker by CSIRT.SK

◦ Integrations
◦ Automatization!
OSInt, Recon, Threat Intelligence
◦ OpenSource Intelligence and Recon
◦ GeoIP, WhoIS, passive dns
◦ VirusTotal, Google Safe Browsing, urlscan.io, urlhaus
◦ Google Dorks (GHDB)
◦ Shodan, Censys, (nmap)
◦ Maltego CE
◦ TorBrowser, VPNs, Proxies
OSInt, Recon, Threat Intelligence
◦ Feeds collecting and processing
◦ IntelMQ, Warden
◦ Threat Intelligence
◦ RiskIQ, OpenCTI
◦ ThreatMiner, ThreatConnect
◦ ??Relevant Feeds??
◦ RecordedFuture CyberDaily
Forensics
◦ Live Forensics and Incident Response
◦ SysInternals Suite (ProcExp, Autoruns, Sysmon), Nirsoft utilities
◦ debsums
◦ Image acquisition and mounting
◦ dcfldd, dc3dd, FTK Imager Lite
◦ Affuse, winregfs
Forensics
◦ Log and filesystem processing
◦ Photorec, recuva, diskdigger, scalpel
◦ Lynis, ClamAV (and others AVs), chkrootkit, rkhunter
◦ Log2Timeline + grep, sed, awk, perl, python + LibreOffice Calc (or
Excel)
◦ Log Parser Lizard
◦ (autopsy), apache-scalp, ELK (Elastic+LogStash+Kibana)
Forensics
◦ Memory acquisition
◦ FTK Imager Lite, winpmem, LIME
◦ Memory analysis
◦ Rekall, volatility
◦ profiles
◦ Endpoint analysis
◦ Google Rapid Response (Rekall included)
Forensics
◦ Linux distributions
◦ CAINE Live
◦ Kali
◦ SIFT Workstation
Malware Analysis
◦ Online services
◦ Repos and DB
◦ VirusTotal, VirusShare
◦ Sandboxes
◦ Hybrid-analysis, Any.Run
◦ Classification
◦ Intezer, NoDistribute
Malware Analysis
◦ Offline services
◦ Repos and DB
◦ viper
◦ Sandboxes
◦ Cuckoo
◦ Classification
◦ (IRMA), Malice, VirusChecker
◦ Remember, integrations and automatization
Malware Analysis
◦ Offline services
◦ Repos and DB
◦ viper
◦ Sandboxes
◦ Cuckoo
◦ Classification
◦ (IRMA), Malice, VirusChecker
◦ Remember, integrations and automatization
Malware Analysis
◦ Static analysis
◦ PE Tools, oletools
◦ PEStudio, Resource hacker
◦ Strings (also strings –e l)
◦ Bytehist, densityscout
◦ CyberChef, xortool
◦ Didier Stevens Suite
◦ Hiew Demo
◦ Far Manager + plugins
◦ Binvis.io
Malware Analysis
◦ Behavioral analysis
◦ VirtualBox, Qemu
◦ ReactOS, modern.ie
◦ inetsim, dnsmasq, FakeNet-NG
◦ SysInternals (procmon, sysmon)
◦ NirSoft (NetworkTrafficView, …)
◦ WireShark, Burp
◦ procdot
Malware Analysis
◦ Debugging
◦ Gdb-dashboard, edb
◦ WinDbg, Immunity debugger
◦ Mona
◦ x64dbg
Malware Analysis
◦ Reverse-engineering
◦ Radare2 + Cutter, Ghidra
◦ Hopper, Binary Ninja
◦ Ida 7.0 Freeware
◦ Snowman decompiler
◦ Mono Develop, ILSpy, dnSpy, de4dot
◦ jd-gui, bytecodeviewer
◦ Beautifier.io, onlinedisassembler.com
Malware Analysis
◦ Distributions, OS
◦ REMnux
◦ Flare-vm
Monitoring, detection
◦ Plenty of tools
◦ IDS,IPS, SIEM
◦ Suricata, Zeek (Bro), Snort, AlienVault OSSIM, SIEMonster, Elastic
◦ Packate capture and analysis
◦ Molo.ch, SiLK, Malcolm
◦ Malicious traffic detection
◦ Maltrail
◦ Log processing and correlation
◦ sec (perl)
What next?
◦ And many more tools
◦ Pentesting, auditing, …
◦ For beginning, don’t need to have everything
◦ Start with incident handling and scale-up
◦ Quality > quantity (feeds, tools,…)
◦ Context
◦ Focus on relevant risk
◦ Increased efficiency => better security
References, picture sources
◦ https://www.zimbra.com/open-source-email-overview/
◦ https://mattermost.com/
◦ https://etherpad.org/
◦ https://kanboard.org/
◦ https://signal.org/
◦ https://en.wikipedia.org/wiki/OTRS
◦ https://go.demisto.com/hs-fs/hubfs/demisto-thank%20you/banner_img.png
◦ https://github.com/TheHive-Project/TheHive
◦ https://github.com/NCSC-NL/taranis3/wiki/Admin-Configure-Software-Hardware
◦ https://www.misp-project.org/features.html
References, picture sources
◦ https://www.paterva.com/buy/maltego-clients/maltego-ce.php
◦ https://warden.cesnet.cz/cs/architecture
◦ https://www.opencti.io/en/
◦ https://go.recordedfuture.com/cyber-daily
◦ https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
◦ https://digital-forensics.sans.org/blog/2009/06/18/forensics-101-acquiring-an-image-with-ftk-imager/
◦ https://www.youtube.com/watch?v=8u5HEE-JM74
◦ https://github.com/google/grr
◦ https://www.intezer.com/wp-content/uploads/2018/08/Wannacry-Small.png
References, picture sources
◦ https://any.run/img/screens/screenhd-real.png
◦ https://github.com/maliceio/malice
◦ https://github.com/CSIRT-SK/ioc-server
◦ https://github.com/CSIRT-SK/viruschecker
◦ https://www.circl.lu/assets/files/misp-training/luxembourg2017/4.2-viper.pdf
◦ https://twitter.com/mattnotmax/status/1122107157082558465
◦ https://cert.at/downloads/software/bytehist_en.html
◦ http://www.angusj.com/resourcehacker/
◦ http://www.hiew.ru/
◦ https://twitter.com/ladislav_b/status/914886748727054338
References, picture sources
◦ https://www.nirsoft.net/utils/network_traffic_view.html
◦ https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
◦ https://www.procdot.com/onlinedocumentation.htm
◦ https://tools.kali.org/reverse-engineering/edb-debugger
◦ https://github.com/cyrus-and/gdb-dashboard
◦ https://twitter.com/ladislav_b/status/955708992155799552
◦ https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
◦ https://cutter.re/
◦ https://github.com/NationalSecurityAgency/ghidra/issues/76
◦ https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
Thank you
◦ Is that all? Finished, already?

◦ No, it's just the beginning :-)